Maybe don’t call Saul? Over 30,000 VoIP devices identifiable worldwide, some with suspected vulnerabilities

Pierluigi Paganini May 12, 2021

Thousands of public-facing devices can be accessed anywhere in the world, from the US to Russia, from London to Johannesburg. Our research shows that large and small manufacturers are identifiable, with Aastra-Mitel topping the list.

As with many inventions of the 20th century, the internet has drastically changed using the phone. Once a vital necessity in every building, PBX boxes are driven towards extinction by devices supporting Voice over Internet Protocol (VoIP).

As the name implies, VoIP allows making calls via the internet and serves as a perfect solution for businesses seeking to get the best of two, GSM-based and internet-based, worlds. Usually, VoIP devices employ a session initiation protocol (SIP) to transmit various forms of media.

However, as with everything connected to the internet, beware of vulnerabilities. Surprisingly, our research identified 38,335 public-facing VOIP/SIP devices worldwide. Aastra-Mitel tops the manufacturer list, the United States leads the list among countries, and London tops the chart among cities.

Ideally, none of those devices should have been identifiable as phones to avoid unwanted attention from threat actors. Unwanted attention might translate to compromised devices being used to perform denial of service or, in some cases, to overtake the communication line and act as a man in the middle.

Simply put, a compromised device might advance threat actors’ intents to wreak havoc or serve as a middleman in attacking somebody else. None of those are the desired outcome for anyone looking to save on phone bills.

What we did

Our team analyzed hundreds of thousands of public-facing devices with VOIP/SIP functionality. We’ve excluded honeypots and identified which manufacturers have the most identifiable public-facing devices.

To determine which manufacturers had the most vulnerabilities exposed, we analyzed the MITRE CVE (Common Vulnerability Enumeration) database, a directory for publicly known information-security vulnerabilities and exposures.

The database is operated by MITRE corporation and has been functioning since 1999. Older CVEs are more likely to have been mediated, and newer ones are less so since developers might not yet patch them and, even more frequently, the firmware might not be updated by users.

Most devices

The most common manufacturer of VoIP/SIP devices in our research was Aastra-Mitel, with over 13 thousand public-facing devices. Aastra Technologies was acquired by Mitel Networks Corporation, a Canadian company, at the end of 2013.

Chinese Yealink ranked second on our list with 7,361 easily identifiable devices. Devices made by the US manufacturer Polycom, a subsidiary of Plantronics Inc., ranked third on our list with close to 6 thousand devices.

Another US manufacturing behemoth, CISCO, ranked fourth with 5,129 public-facing VoIP/SIP devices we’ve identified.

Even though it does not automatically mean that every single identifiable device is a threat, it does mean that the devices we’ve found are reachable from anywhere in the world through an IP protocol.

Most CVEs

For a deeper look at the safety of VoIP/SIP devices, we’ve taken a deep dive into the MITRE CVE database to cross-check which manufacturers have the most listed vulnerabilities. Fewer vulnerabilities that threat actors can act on a manufacturer has, the safer a public-facing device is.

Our team found out that out of 15 device manufacturers we’ve looked at, only three, Patton, Net2phone, and Fanvil, have not had any vulnerabilities for the devices listed in the MITRE CVE database.

We’ve discovered that one of the most recognized manufacturers, CISCO, had the most known CVE’s – 178. It’s worth noting, however, that only four CVEs are dated 2020 or 2021. Thus, it’s likely that the company patched most CVEs we’ve identified.

With 34 known CVEs, Latvian manufacturer Mikrotik ranked second. Our team also found out that Mikrotik has the highest number of recent CVEs among the manufacturers we took a look at.

Japanese manufacturer Panasonic was the third in terms of CVEs, with 24 we’ve found. Two of those can be categorized as recent. Other manufacturers with recent CVEs identified are US companies Digium and Grandstream.

It’s worth noting that comparing different companies is problematic since large corporations can have many different SIP-capable device models. That means that some device models are less vulnerable than others. However, identifying each device model for each manufacturer was not in the scope of this research.

Top locations

Looking at the information on identifiable VoIP/SIP devices, we could pinpoint exact locations of the devices. The vast majority of our findings are concentrated in 20 different countries.

Only five countries house more than 1,000 devices. The United States is firmly in the lead, with 9,715 VoIP/SIP machines connected to the internet. The United Kingdom takes second place with over 3,780 devices, followed by Canada with fewer than 2,000 devices.

We’ve also identified over 1.5 thousand devices in Russia and slightly more than 1,000 in Italy.

Interestingly, the US does not rank first when looking at data on specific cities where the machines are located. The city with the most public-facing devices is London with 1,960 devices, followed by Toronto with close to 1,200 devices.

The first American city on the list is unsurprisingly New York City, with 663 devices. South African metropolis of Johannesburg ranks fourth, and the Dutch capital of Amsterdam – fifth.

Location by manufacturer

Aggregated data, however, does not reveal a more precise picture as different manufacturers dominate in different markets. For example, our research identified 6,679 public-facing Aastra-Mitel devices in the US alone, followed by the UK with 3,185 machines.

Yealink devices were also most prominent in the US, with 1,183 VoIP/SIP devices. Russia was the second most popular location for the Chinese manufacturer with 790 devices, followed by China with 671 devices.

Unsurprisingly, with 2,284 devices, the US had the most significant Polycom presence as well. However, Brazil was a close second with 2,148 machines located in the country.

It is imperative that businesses keep their software and firmware of devices connected to the internet up to date. 

Telecommunication fraud is estimated to cause at least $12 billion losses, and SIP-capable VoIP devices are not immune to threat actors seeking to exploit vulnerabilities.

Failure to update the firmware can lead to compromise and loss of sensitive data or man-in-the-middle attacks which threat actors often use for business intelligence, ransom, and other malicious purposes.


Original post: https://cybernews.com/privacy/30-thousand-voip-devices-identifiable-worldwide/

Please vote Security Affairs as Best Personal cybersecurity Blog
https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VOIP)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment